Security Consulting & Security Review
Cyber Security proven for enterprises. Security Consulting, Security Reviews, Legacy Technology, LLMs, RAGs, we deliver answers.

The hidden gear in IT: Legacy Technology. Invisible until it breaks.
Monday morning, on a production line. After the final machining steps, a critical piece is ready for quality control. It is prepared and moved to the measuring machine: A Zeiss Prismo, early 2000s model. The system is controlled by a dedicated software package, running on the same computer since its installation, placed in a corner of the laboratory.
But the computer does not start. Several attempts fail. Long and short beeps suggest many possible causes. The experts are called in. We open the case: wiggle some connectors, the IDE cable of the hard disk, the expansion cards, the power plugs. Still nothing. Looking closer, the video card shows a dark stain near a capacitor. A typical failure of old hardware. The problem is identified, but how do we quickly fix it? Measurements must be completed by Thursday, or hefty contractual penalties will apply.
The first step is to clone the disk. Somewhere, we still have an old IDE cloner. With the image completed, we attempt to boot it inside VMware. The familiar Windows 2000 logo appears. The application starts, but runs too fast. We need to slow the VM down, search for original drivers, adjust registry settings. For me, this is like driving my first Renault 4: uncomfortable, spartan, minimal controls. The younger engineers behind us watched in disbelief.
After several trials, and revisiting the nightmare of DLL Hell long before containers, the application eventually runs. But it requires a 9-pin serial port. Adapters, more tuning, and three days of work later, we finally succeed. We have virtualised a small piece of an old system – an unnoticed cog in a complex machine, essential for years without anyone paying attention.
Although the industry constantly speaks about cloud, containerisation and software-defined networks, countless computers in industrial and corporate environments were never updated. Their applications never evolved, and so they remain frozen in time. These relics are often invisible to automated discovery processes. Nobody dares to install an EDR agent: "never touch a running system" is the unwritten rule, especially if the system is known to be fragile. And in any case, modern security tools no longer support them.
Legacy technology exists in many different forms. In banking and insurance, mainframes still execute millions of COBOL transactions every day. In large datacentres, magnetic tapes continue to be the most cost-effective medium for long-term storage. In hospitals and universities, Solaris, HP-UX or AIX servers continue to power critical applications. In factories, Windows XP, Windows 7 and even MS-DOS machines silently control CNC equipment and medical devices. Programming languages once declared obsolete, such as FORTRAN, Assembly, Perl and Visual Basic 6, are still active in science, defence and office automation. Fax machines, ISDN lines and unencrypted protocols such as Telnet or FTP persist in some networks because of legal, compatibility or operational constraints.
This is not nostalgia. It is reality. The systems work, they provide essential functions, and their replacement is expensive and risky. As a result, they remain in production far longer than initially planned, becoming part of the critical infrastructure of many organisations.
The presence of legacy technology is not only an operational burden but also a serious security concern. Operating systems such as Windows XP, Windows 7 or Solaris no longer receive security patches, leaving them permanently exposed to well-known exploits. Legacy applications written in COBOL or FORTRAN may still process critical data, but lack secure coding practices, input validation or encryption. They become easy entry points for SQL injection or buffer overflow attacks.
Hardware and communication protocols represent another weak spot. Telnet and FTP still transmit credentials in clear text. Industrial controllers in SCADA networks were never designed with authentication in mind. Even fax machines, still used in hospitals and public administration, can be abused as an attack vector. In industrial and medical contexts, the inability to patch or upgrade devices means that vulnerabilities are permanent. At the same time, compliance with frameworks such as NIS2 or GDPR becomes almost impossible.
Finally, the human factor cannot be ignored. Many of these systems are poorly documented, maintained by a single ageing expert or even by external contractors who possess the only operational knowledge. This creates dangerous single points of failure. When such a person retires or becomes unavailable, the continuity of entire processes may be at risk.
At scip AG, we have more than thirty years of experience working with both cutting-edge and obsolete technologies. We help organisations deal with these hidden risks through a structured approach. Our first step is always an assessment. We perform vulnerability analyses and penetration tests tailored for outdated systems and protocols, and we measure compliance gaps against standards such as ISO 27001, PCI DSS or NIS2.
Over the decades, we have built up a body of expertise that spans different layers of computer technologies. We spent countless hours programming in Pascal, Modula, Perl and Rexx, building and troubleshooting Solaris clusters with shared SCSI buses, and maintaining Frame Relay networks long after the industry moved on. We dealt with Data Link Switching to bridge Token Ring into Ethernet, configured Novell IPX when TCP/IP was not yet dominant, and integrated TCP/IP into AS/400 and OS/2 systems. We managed NFR and Raptor, Check Point, StoneBeat firewalls, deployed Entrust CA infrastructures, and worked with many other products and protocols that have disappeared from most environments but are still running critical processes in some companies today.
In the following years, we also analysed the security of cutting-edge technologies (or those marketed as such): from virtual machines to containers, from software-defined networks to the emerging programming paradigms at the hardware/software boundary.
All of these experiences allow us to bridge the gap between legacy and modern systems. We know that production environments are rarely homogeneous, and that shadow systems and outdated protocols often represent the weakest link in an otherwise well-secured infrastructure. By combining our historical knowledge with state-of-the-art security methodologies, we provide realistic and effective assessments, from code reviews to compliance audits, ensuring that legacy does not become a liability.
When patching is no longer possible, we design compensating measures. These include virtual patching through intrusion prevention systems, strict segmentation of legacy networks, or the deployment of bastion hosts with multifactor authentication to control access. Encryption of communications, removal of weak protocols, and centralised logging help to strengthen an otherwise fragile environment.
In parallel, we work with our clients on continuity planning and progressive modernisation. Backup and disaster recovery strategies are adapted to legacy platforms. Interfaces are encapsulated in secure API gateways to expose necessary functions without altering the fragile core. Finally, we help to design safe migration paths, for example moving workloads from AS/400 systems to cloud environments, while focusing on the differences and the essential security measures required to ensure safe operation in the new landscape.
Legacy systems will not disappear overnight. They are hidden, underestimated, but indispensable. Each year they grow more critical and more fragile. To our clients, we offer:
Legacy technology is everywhere. It does not attract attention until it fails, but then it can stop an entire production line, delay deliveries and generate contractual penalties. Addressing these risks requires both deep technical expertise and sensitivity to operational realities. With decades of hands-on experience, scip AG is uniquely positioned to help organisations secure, integrate and progressively modernise their legacy infrastructure before the next Monday morning surprise.
Our experts will get in contact with you!


Rocco Gagliardi
